Delegating Setup

Topic Last Modified: 2009-07-20

Some organizations do not want to grant membership in the Domain Admins group to the users or groups who deploy Office Communications Server. In this case, delegating setup provides a way for you to grant these users or groups only the subset of permissions required to install and activate servers running Office Communications Server. You can grant permissions to deploy Office Communications Server by using either the Setup deployment tool (SetupEE.exe for the Enterprise Edition server consolidated configuration, or SetupSE.exe for Standard Edition server) or the LcsCmd.exe command-line tool.

Note

Although the process described in this topic grants the directory permissions needed for setup, any user in the trustee group must also be a member of the local Administrators group on a computer to install and activate Office Communications Server on that computer. For Enterprise Edition server installation and activation scenarios, the trustee group must also be a member of the local Administrators group on the computer running the Microsoft SQL Server back-end database. Delegation therefore narrows what the trustee group can do in Active Directory; it does not reduce the group's privileges on the servers themselves, so treat membership in the trustee group as equivalent to local administrator access on every server and back-end database computer the group is added to.

Active Directory Service Interfaces (ADSI) Edit is a tool that you can use to find and copy the distinguished name that you need to supply in the wizard. For Windows Server 2003, ADSI Edit is included with the Support Tools. For Windows Server 2008, this tool is included with the Remote Server Administration Tools (RSAT).

For Windows Server 2003, the Support Tools are available from the Windows Server 2003 CD in the \SUPPORT\TOOLS folder, or you can download them from Windows Server 2003 Service Pack 2 32-bit Support Tools at https://go.microsoft.com/fwlink/?LinkId=125770. Instructions for installing the Support Tools from the product CD are available from Install Windows Support Tools at https://go.microsoft.com/fwlink/?LinkId=125771. Adsiedit.dll is registered automatically when you install the Support Tools. If, however, you copied the files to your computer manually, you must run regsvr32 against adsiedit.dll to register it before you can run the tool.

For Windows Server 2008, the RSAT package is copied to the server by default when you install Windows, but it is not installed by default. You use Server Manager to install individual tools. ADSI Edit is included under Role Administration Tools, Active Directory Domain Services Tools, Active Directory Domain Controller Tools. For details about installing Remote Server Administration Tools, see Installing Remote Server Administration Tools for Windows Server 2008.

To use the Setup deployment tool (SetupEE.exe or SetupSE.exe) to grant setup permissions

  1. Log on to a computer in the domain where you want to grant permissions. Use an account that is a member of the Domain Admins group or that has equivalent user rights.

  2. From the Office Communications Server installation folder or CD, run SetupEE.exe (for Enterprise Edition server consolidated configuration) or SetupSE.exe (for Standard Edition server) to start the deployment tool.

  3. Click Prepare Environment.

  4. Click Prepare Active Directory.

  5. Click Delegate Setup and Administration.

  6. At Delegate Setup Tasks, click Run.

  7. On the Welcome page, click Next.

  8. On the Authorize Group page, in Select Trustee domain, specify the domain that contains the group to which you want to delegate permissions.

  9. In Name of existing group, type the name of the group to which you want to delegate permissions, and then click Next.

    Note

    This group must be a security group with universal or global scope. It cannot be a domain local group, because a domain local group can only be granted rights on objects in its own domain, and setup delegation also grants rights on forest-wide objects such as the Configuration container.

  10. On the Location of Computer Objects for Deployment page, type the distinguished name (DN) of the organizational unit (OU) or container that hosts the computer objects on which Office Communications Server will be deployed.

    Note

    You can use the ADSI Edit tool to navigate to the properties of the OU or container, and then copy and paste its distinguishedName value into the wizard.

  11. On the Service Account page, type the Session Initiation Protocol (SIP) service account and component service account that will be used by Office Communications Server.

  12. On the Ready to Perform Setup Delegation page, verify your settings, and then click Next.

  13. When the wizard is complete, click Finish.

  14. Add the new trustee group to the Local Administrators group of each server where you want to install Office Communications Server and the computer running the SQL Server back-end database server for any Enterprise pools.

  15. If, in your organization, Authenticated Users security group permissions have been removed from Active Directory, you must either add the new trustee group for setup tasks to RTCUniversalServerAdmins or manually grant Read permissions to the trustee group for the following containers in the forest root:

    • Forest root domain
    • Forest root domain System container
    • Configuration container
    • Root of the domain where permissions are delegated
    • Parent containers of computer objects and service account objects

  16. Log on to one of the target servers as a member of the trustee group, open a command prompt, and then type whoami.exe /all to verify that the user has the appropriate permissions. The group list in the output should be similar to the following, with BUILTIN\Administrators, the RTC universal groups, and the trustee group (CONTOSO\RTCSetupDelegate in this example) present:

    Everyone                                 Well-known group S-1-1-0
    BUILTIN\Administrators                   Alias            S-1-5-32-544
    BUILTIN\Users                            Alias            S-1-5-32-545
    NT AUTHORITY\INTERACTIVE                 Well-known group S-1-5-4
    NT AUTHORITY\Authenticated Users         Well-known group S-1-5-11
    NT AUTHORITY\This Organization           Well-known group S-1-5-15
    LOCAL                                    Well-known group S-1-2-0
    CONTOSO\RTCUniversalUserReadOnlyGroup    Group            S-1-5-21-4264192570-
    CONTOSO\RTCUniversalGlobalWriteGroup     Group            S-1-5-21-4264192570-
    CONTOSO\RTCUniversalGlobalReadOnlyGroup  Group            S-1-5-21-4264192570-
    CONTOSO\RTCUniversalServerReadOnlyGroup  Group            S-1-5-21-4264192570-
    CONTOSO\RTCSetupDelegate                 Group            S-1-5-21-4264192570-
    CONTOSO\CERTSVC_DCOM_ACCESS              Alias            S-1-5-21-4264192570-

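The following PowerShell script is an added example; it is not part of the Office Communications Server documentation or product. It performs the checks a practitioner would want before running the wizard (or the LcsCmd.exe command in the next procedure): it confirms the trustee group is a security group with global or universal scope by reading its groupType attribute, confirms the computer OU or container exists and lists the computer objects it holds, confirms the service accounts resolve, and prints the equivalent LcsCmd.exe command line. The domain, group, OU and service account names (contoso.com, OCSSetupDelegates, OU=OCS Servers, RTCService, RTCComponentService) are assumed values for illustration.

```powershell
# Added example, not part of the Office Communications Server documentation.
# Pre-flight checks for the inputs requested on the Authorize Group and
# Location of Computer Objects pages (or the matching LcsCmd.exe parameters).
# Every value below is an assumption for illustration: adjust to your forest.
param(
    [string]$TrusteeDomain           = 'contoso.com',
    [string]$TrusteeGroup            = 'OCSSetupDelegates',
    [string]$DelegatedDomain         = 'contoso.com',
    [string]$ComputerOU              = 'OU=OCS Servers,DC=contoso,DC=com',
    [string]$ServiceAccount          = 'RTCService',          # assumed name
    [string]$ComponentServiceAccount = 'RTCComponentService'  # assumed name
)

# groupType flag bits (ADS_GROUP_TYPE_ENUM). The security-enabled flag is the
# sign bit, so AD stores security groups as negative Int32 values.
$ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x00000004
$ADS_GROUP_TYPE_UNIVERSAL_GROUP    = 0x00000008

function Find-DirectoryEntry {
    # Returns the first object in $Domain matching the LDAP $Filter, or $null.
    param([string]$Domain, [string]$Filter)
    $root = [ADSI]"LDAP://$Domain"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = 'Subtree'
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    return $hit.GetDirectoryEntry()
}

# 1. The trustee must be a security group with global or universal scope
#    (a domain local group cannot be granted rights in another domain, such as
#    the forest root's Configuration container).
$group = Find-DirectoryEntry -Domain $TrusteeDomain `
    -Filter "(&(objectClass=group)(sAMAccountName=$TrusteeGroup))"
if ($null -eq $group) { throw "Group '$TrusteeGroup' not found in $TrusteeDomain" }

$groupType = [int]$group.psbase.Properties['groupType'].Value
if ($groupType -ge 0) {
    throw "'$TrusteeGroup' is a distribution group; the trustee must be a security group"
}
if ($groupType -band $ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP) {
    throw "'$TrusteeGroup' is a domain local group; use a global or universal group"
}
$scope = if ($groupType -band $ADS_GROUP_TYPE_UNIVERSAL_GROUP) { 'Universal' } else { 'Global' }
$groupDn = $group.psbase.Properties['distinguishedName'].Value
Write-Output "Trustee group OK: $groupDn ($scope security group)"

# 2. The computer OU/container must exist; list what is in it so the DN you
#    paste into the wizard is the one that actually holds the OCS computer objects.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ComputerOU")) {
    throw "Container '$ComputerOU' does not exist"
}
$ou = [ADSI]"LDAP://$ComputerOU"
$computers = New-Object System.DirectoryServices.DirectorySearcher($ou, '(objectClass=computer)')
$computers.SearchScope = 'Subtree'
$names = @($computers.FindAll() | ForEach-Object { $_.Properties['name'][0] })
Write-Output "Computer OU OK: $ComputerOU ($($names.Count) computer objects: $($names -join ', '))"

# 3. Both service accounts must resolve in the delegated domain.
foreach ($acct in $ServiceAccount, $ComponentServiceAccount) {
    $u = Find-DirectoryEntry -Domain $DelegatedDomain -Filter "(&(objectClass=user)(sAMAccountName=$acct))"
    if ($null -eq $u) { throw "Service account '$acct' not found in $DelegatedDomain" }
}

# 4. Emit the equivalent LcsCmd.exe command line (quote the OU DN: it contains spaces).
$cmd = @(
    'LcsCmd.exe', "/Domain:$DelegatedDomain", '/Action:CreateDelegation', '/Delegation:SetupAdmin',
    "/TrusteeGroup:$TrusteeGroup", "/TrusteeDomain:$TrusteeDomain",
    "/ServiceAccount:$ServiceAccount", "/ComponentServiceAccount:$ComponentServiceAccount",
    "/ComputerOU:`"$ComputerOU`""
) -join ' '
Write-Output "Run as a Domain Admin: $cmd"
```

Run the script as a domain account that can read the directory (no Domain Admins membership is needed for the checks themselves); the printed LcsCmd.exe line is then run by a Domain Admin, as the procedure below requires. The checks fail closed: a distribution group, a domain local group, a missing OU or a missing service account stops the script before anything is delegated.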

To use LcsCmd.exe to grant permissions

  1. Log on to a computer running Office Communications Server in the domain where you want to grant permissions. Use an account that is a member of the Domain Admins group or that has equivalent user rights.

  2. Open a command prompt and then type the following command:

    LCSCmd.exe /Domain[:<domain FQDN>] 
    /Action:CreateDelegation /Delegation:SetupAdmin 
    /TrusteeGroup:<name of the universal group that you will delegate to> 
    /TrusteeDomain:<FQDN of the domain where the trustee group resides>
    /ServiceAccount:<RTC service account name>
    /ComponentServiceAccount:<RTC component service account name>
    /ComputerOU:<DN of the OU or container where the computer objects that will run Office Communications Server reside>
    

    Where:

    Domain is the FQDN of the domain in which permissions are delegated (the brackets indicate that the parameter is optional).

    TrusteeGroup is the group to which you are granting permissions.

    TrusteeDomain is the domain in which the trustee group resides.

    ServiceAccount is the Real-time Communications (RTC) service account name.

    ComponentServiceAccount is the RTC component service account name.

    ComputerOU specifies the DN of the OU or container holding the computer objects on which the trustee group can run Office Communications Server setup tasks.

  3. Add the new trustee group to the Local Administrators group of each computer where you want to install Office Communications Server and the computer running the SQL Server back-end database server for any Enterprise pools.

  4. If, in your organization, Authenticated Users security group permissions have been removed from Active Directory Domain Services (AD DS), you must either add the new trustee group for setup tasks to RTCUniversalServerAdmins or manually grant Read permissions to the trustee group for the following containers in the forest root:

    • Forest root domain

    • Forest root domain System container

    • Configuration container

    • Root of the domain where permissions are delegated

    • Parent containers of computer objects and service account objects

  5. Log on to one of the target servers as a member of the trustee group, open a command prompt, and then type whoami.exe /all to verify that the user has the appropriate permissions. The group list in the output should be similar to the following, with BUILTIN\Administrators, the RTC universal groups, and the trustee group (CONTOSO\delegatedLSSetup in this example) present:

      Everyone                                 Well-known group S-1-1-0
      BUILTIN\Administrators                   Alias            S-1-5-32-544
      BUILTIN\Users                            Alias            S-1-5-32-545
      NT AUTHORITY\INTERACTIVE                 Well-known group S-1-5-4
      NT AUTHORITY\Authenticated Users         Well-known group S-1-5-11
      NT AUTHORITY\This Organization           Well-known group S-1-5-15
      LOCAL                                    Well-known group S-1-2-0
      CONTOSO\RTCUniversalUserReadOnlyGroup    Group            S-1-5-21-4264192570-
      CONTOSO\RTCUniversalGlobalWriteGroup     Group            S-1-5-21-4264192570-
      CONTOSO\RTCUniversalGlobalReadOnlyGroup  Group            S-1-5-21-4264192570-
      CONTOSO\RTCUniversalServerReadOnlyGroup  Group            S-1-5-21-4264192570-
      CONTOSO\delegatedLSSetup                 Group            S-1-5-21-4264192570-
      CONTOSO\CERTSVC_DCOM_ACCESS              Alias            S-1-5-21-4264192570-
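
The following PowerShell script is an added example, not part of the Office Communications Server documentation or product. It verifies the end state that the last steps of both procedures describe: that the trustee group is a member of the local Administrators group on every Office Communications Server computer and on the SQL Server back-end computer, and, for forests where Authenticated Users permissions were removed, that the trustee group holds a direct Read grant on each of the listed containers. The domain, group, server and container names (CONTOSO, OCSSetupDelegates, ocs-fe01, ocs-sql01, the emea.contoso.com child domain, CN=Users as the service account container) are assumed values for illustration.

```powershell
# Added example, not part of the Office Communications Server documentation.
# Verifies the state the last steps of either procedure describe: the trustee
# group is in local Administrators on each OCS server and the SQL back end, and
# (for environments that removed Authenticated Users) holds Read on the listed
# containers. All names below are assumptions for illustration.
param(
    [string]$TrusteeNetbiosDomain = 'CONTOSO',
    [string]$TrusteeGroup         = 'OCSSetupDelegates',
    [string[]]$Servers            = @('ocs-fe01', 'ocs-fe02', 'ocs-sql01'),
    [string]$ForestRootDn         = 'DC=contoso,DC=com',
    [string]$DelegatedDomainDn    = 'DC=emea,DC=contoso,DC=com',
    [string]$ComputerOU           = 'OU=OCS Servers,DC=emea,DC=contoso,DC=com',
    [string]$ServiceAccountOU     = 'CN=Users,DC=emea,DC=contoso,DC=com'   # assumed
)

$trustee = "$TrusteeNetbiosDomain\$TrusteeGroup"

function Test-LocalAdministrator {
    # True if the domain group is a direct member of BUILTIN\Administrators on $Computer.
    param([string]$Computer, [string]$NetbiosDomain, [string]$Group)
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    $paths = @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    # Member ADsPaths look like WinNT://CONTOSO/OCSSetupDelegates
    return [bool]($paths -contains "WinNT://$NetbiosDomain/$Group")
}

function Test-ReadAccess {
    # True if an Allow ACE for $Identity on the object at $Dn grants the rights
    # that make up "Read" in the ACL editor: list children, read properties and
    # read the security descriptor. Only direct ACEs are examined, so access
    # obtained through RTCUniversalServerAdmins membership is not counted here.
    param([string]$Dn, [string]$Identity)
    $required = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
    $acl = ([ADSI]"LDAP://$Dn").psbase.ObjectSecurity
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ieq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.ActiveDirectoryRights -band $required) -eq $required)) {
            return $true
        }
    }
    return $false
}

# Step 14 / step 3: local Administrators on every OCS server and the SQL back end.
foreach ($server in $Servers) {
    $ok = Test-LocalAdministrator -Computer $server -NetbiosDomain $TrusteeNetbiosDomain -Group $TrusteeGroup
    Write-Output ("{0,-40} local Administrators: {1}" -f $server, $(if ($ok) { 'OK' } else { 'MISSING' }))
}

# Step 15 / step 4: Read on the forest root, its System container, the
# Configuration container, the delegated domain root, and the parent
# containers of the computer objects and service accounts.
$containers = @(
    $ForestRootDn,
    "CN=System,$ForestRootDn",
    "CN=Configuration,$ForestRootDn",
    $DelegatedDomainDn,
    $ComputerOU,
    $ServiceAccountOU
)
foreach ($dn in $containers) {
    $ok = Test-ReadAccess -Dn $dn -Identity $trustee
    Write-Output ("{0,-60} Read for ${trustee}: {1}" -f $dn, $(if ($ok) { 'OK' } else { 'MISSING' }))
}
```

Run the script with an account that can enumerate local groups on the target servers and read the security descriptors of the containers. A MISSING result for a server means the trustee group cannot install or activate there regardless of the directory delegation; a MISSING result for a container is only a problem if Authenticated Users has been removed and the trustee group is not nested in RTCUniversalServerAdmins, because the function deliberately reports direct ACEs only.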